That's not worrying at all. Considering you need the passcode of the device to do so. If they have the passcode, or there isn't one, then the attacker can just open the app and look without extracting the files. These aren't passwords stored in plaintext. This is plaintext stored in plaintext.